It would be remiss of me to let “the HSBC situation” go by without comment. I may well return to it in future, as I know some of the people involved and will try to get some MLRO-relevant details from them, but for now I wanted to use “the situation” to illustrate the dangers of reliance. Reliance, just to recap, is the use by one member of the regulated sector of the due diligence checks done by another such member – so, a bank relying on DD done by a solicitor, or an estate agents on those done by a bank (or indeed within the same profession – bank on bank). I am frequently asked about the extent to which this is (a) permissible, and (b) wise – and, as you can imagine, the answer is rarely straightforward. I think part of the difficulty comes from the schizoid nature of the regulated beast: compliance people are by nature more cautious, and would prefer to do their own checks just to be certain, but they come under pressure from the more gung-ho sales staff who want speed and accommodation. (I simplify terrifically, of course, but the basic split is there.)
The nub of the reliance dilemma is expressed perfectly in paragraph 5.6.4 of the UK’s JMLSG Guidance Notes for the UK Financial Sector Part I: “The ML Regulations expressly permit a firm to rely on another person to apply any or all of the CDD measures, provided that the other person is listed in Regulation 17(2) [i.e. is also covered by the Regs or equivalent], and that consent to being relied on has been given. The relying firm, however, retains responsibility for any failure to comply with a requirement of the Regulations, as this responsibility cannot be delegated.” My favourite analogy for reliance (and indeed for the outsourcing of any part of the AML requirements) is this. It is akin to relying on someone else to do up your seatbelt for you: if there is an accident and it turns out that they haven’t done it up properly, it will be you catapulting through the windscreen while they stand on the kerb.
So what has this to do with “the HSBC situation”? Well, at a recent training session I was asked why we can’t just rely on CDD checks done by “reputable banks” – particularly the largest ones, with presumably the biggest compliance departments and the most generous budgets to do the deepest and best checks? If they’re happy with a client and his source of funds, surely we can be too? Hmmmm…..